Near Field Communication (NFC) payments are taking over the world — or at least revolutionizing how we pay for goods in stores. In case you’re not aware, the technology is booming in much of Europe, Canada, and Asia.

The UK wants all point-of-sale terminals to accept contactless payments by 2020, while more than 53 percent of Australians use an NFC app at least once per week. In China, NFC payment systems have become so prevalent that experts believe the country is on track to become the first cashless society within just a few short years.

The United States is a bit behind the curve, but gaining ground rapidly. Businesses such as McDonald’s and Walgreens now offer contactless payments, with many more coming online all the time.

Chevron and Walmart both need to get with the times and get Apple Pay. It’s killing me.

Apple Pay relies on tokenization, so your real card number is never handed to the merchant. When you add a card, the device encrypts the card details and sends them to Apple’s servers. Apple decrypts them, determines which payment network the card belongs to, and re-encrypts them with a key that only that network (or your issuing bank) can unlock.

The network or issuer then approves the card, creates a device-specific Device Account Number (DAN), a token that stands in for the real card number, encrypts it for your phone, and returns it via Apple. Apple cannot decrypt the DAN; it simply passes it on to the Secure Element (SE) on your phone. The Secure Element is an industry-standard, tamper-resistant chip that we’ll talk more about shortly.

“Apple sends information about your iTunes and App Store account activity, information about your device, information about your device usage, and your location at the time that you add your credit, debit, or prepaid card to your bank or card issuer.”

Sounds worrying.

Android Pay

Many of the core security features of Android Pay are the same as Apple Pay’s. Tokenization works in broadly the same way, but with one fundamental difference.

Instead of keeping the payment token in a Secure Element chip, Android Pay uses a technique known as Host Card Emulation (HCE).

Host Card Emulation has been part of Android since version 4.4 (KitKat). Rather than hosting the payment credentials on a Secure Element inside the device, HCE emulates the card in software on the phone’s main processor: the long-lived credentials stay in the cloud, and the phone is issued short-lived, limited-use keys over the network.

This has some key benefits over a physical SE:

The storage space of a physical SE is limited; cloud-side HCE storage is scalable.

The cloud back end behind HCE can draw on far more computing power than a smart-card chip, and so can implement more robust security measures such as server-side risk checks.

However, there is one security drawback: because the credentials live in the cloud, HCE has to cache a small batch of limited-use keys on the phone so that you can still pay while you’re offline. Each of them works a bit like a temporary credit card.

That window of opportunity doesn’t last long; once the cached keys are used up, the phone has to reconnect to the server before it can make more payments. But it does mean that someone who comes into possession of your device and knows your PIN could switch it to airplane mode and go on a mini spending spree before a remote lock reaches it. The risk is small, but it exists.
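To make the tokenization flow and the offline limited-use keys described above concrete, here is an added Python model, written for this article rather than taken from Apple, Google or Samsung. It contains a token service provider (the network-side vault that maps a Device Account Number back to the real card number), an HCE wallet that holds only the DAN plus a small cache of limited-use keys, and the checks the network applies when a terminal forwards a payment. The key-derivation scheme, the cryptogram format, the batch size and the test card number are all assumptions for illustration; real wallets use EMV cryptograms and hardware-backed keys.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def cryptogram(key: bytes, amount: int, counter: int) -> bytes:
    """Per-transaction MAC over amount and counter. A toy stand-in for the EMV
    cryptogram a real wallet produces; the format here is assumed."""
    return hmac.new(key, f"{amount}:{counter}".encode(), hashlib.sha256).digest()[:8]


@dataclass
class TokenServiceProvider:
    """Stand-in for the card network's token vault, the party that creates the DAN.
    Only it knows which real PAN a DAN maps to."""
    master_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    vault: dict = field(default_factory=dict)   # dan -> real PAN
    revoked: set = field(default_factory=set)
    seen: set = field(default_factory=set)       # (dan, counter) pairs already authorised

    def provision(self, pan: str) -> str:
        """Issue a 16-digit DAN for a real card. The PAN never leaves the vault."""
        dan = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        self.vault[dan] = pan
        return dan

    def _luk(self, dan: str, counter: int) -> bytes:
        # Limited-use key for one counter value, derived on demand instead of stored.
        return hmac.new(self.master_key, f"{dan}:{counter}".encode(), hashlib.sha256).digest()

    def issue_luks(self, dan: str, start: int, n: int) -> dict:
        """Hand the phone a small batch of keys so it can pay while offline."""
        return {start + i: self._luk(dan, start + i) for i in range(n)}

    def revoke(self, dan: str) -> None:
        """Remote lock: every key still cached on the phone becomes worthless."""
        self.revoked.add(dan)

    def authorize(self, tx: dict) -> bool:
        dan, counter = tx["dan"], tx["counter"]
        if dan not in self.vault or dan in self.revoked:
            return False
        if (dan, counter) in self.seen:          # replay of a captured message
            return False
        expected = cryptogram(self._luk(dan, counter), tx["amount"], counter)
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False                         # amount or counter was altered
        self.seen.add((dan, counter))
        return True


@dataclass
class HceWallet:
    """Phone-side state of an HCE wallet: the DAN plus a cache of limited-use keys.
    No Secure Element and no real card number is present on the device."""
    dan: str
    luks: dict

    def pay(self, amount: int) -> dict:
        """Build the message the terminal relays to the network. Works offline
        until the key cache is empty, which is the article's spending window."""
        if not self.luks:
            raise RuntimeError("no limited-use keys left; reconnect to replenish")
        counter = min(self.luks)
        key = self.luks.pop(counter)             # each key serves exactly one payment
        return {"dan": self.dan, "counter": counter, "amount": amount,
                "cryptogram": cryptogram(key, amount, counter)}


def simulate(batch_size: int = 3) -> dict:
    """Walk through the article's scenario: provision a card, pay offline until the
    cached keys run out, replay and tamper with a message, then revoke the DAN."""
    pan = "4111111111111111"                    # constructed test card number
    tsp = TokenServiceProvider()
    dan = tsp.provision(pan)
    wallet = HceWallet(dan, tsp.issue_luks(dan, 0, batch_size))

    # The phone is offline; the terminal is not, and forwards each message.
    offline_txs = [wallet.pay(500 + i) for i in range(batch_size)]
    approved_offline = [tsp.authorize(tx) for tx in offline_txs]
    try:
        wallet.pay(100)
        exhausted = False
    except RuntimeError:
        exhausted = True

    replay_accepted = tsp.authorize(offline_txs[0])        # same message twice

    wallet.luks = tsp.issue_luks(dan, batch_size, 2)       # back online: fresh batch
    tampered_accepted = tsp.authorize(dict(wallet.pay(700), amount=99999))

    tsp.revoke(dan)                                        # owner reports the phone lost
    after_revoke_accepted = tsp.authorize(wallet.pay(800))

    return {"dan": dan, "pan": pan, "merchant_fields": sorted(offline_txs[0]),
            "approved_offline": approved_offline, "exhausted_without_network": exhausted,
            "replay_accepted": replay_accepted, "tampered_accepted": tampered_accepted,
            "accepted_after_revoke": after_revoke_accepted}


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Running it shows the points the text makes: the message the merchant handles carries the DAN, a counter and a cryptogram but never the PAN; three offline payments go through and a fourth is refused until the phone reconnects; a replayed or amount-altered message is rejected by the network; and once the owner revokes the DAN, any keys still cached on a stolen phone are useless, which is the mitigation that closes the mini-spending-spree window.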

Samsung Pay

The last one of the “big three” NFC payment apps is Samsung Pay. It’s the South Korean company’s answer to Apple Pay. Like Apple Pay, it’s a proprietary app that only runs on its maker’s own devices.

Before we get into the app’s security details, it’s worth mentioning one feature that neither Android Pay nor Apple Pay offers. Samsung Pay works with NFC (EMV contactless) point-of-sale terminals, but it also works with the ubiquitous magnetic-stripe readers through Magnetic Secure Transmission (MST), which emits a magnetic signal that the reader interprets as a card swipe. As such, it works at far more terminals.

Samsung relies on Samsung Knox to guard against tampering and suspicious activity. In turn, Knox is built on the ARM TrustZone architecture, which lets security-critical code run in an isolated “secure world” alongside Android. The Knox protections relevant here are the TrustZone-based Integrity Measurement Architecture (TIMA) KeyStore, real-time kernel protection, and device attestation.

When it comes to making a payment, all three apps behave very similarly. You authorize each payment with your PIN or biometric ID. For larger amounts, depending on the region and the terminal, you may also have to supply a signature. Because of tokenization, the merchant only ever sees the device token and a one-time cryptogram, never your real card number.

If you lose your phone, you can use Samsung’s Find My Mobile web service to lock and wipe Samsung Pay remotely.

If you follow the tech news, you’ll occasionally see stories pop up that expose flaws in NFC apps. For example, in August 2016, a security researcher argued that Samsung Pay’s one-time tokens were not sufficiently random and could become predictable.

Similarly, in March 2016, experts pointed out that criminals could load stolen card numbers onto Apple Pay because some issuers’ identity checks at enrolment were weak, use them for a brief time, then discard the phone.

Of course, such reports are worrying. But all three apps are still more secure than a magnetic-stripe card with a signature to authorize, because the merchant never handles your real card number. Most importantly, as the technology matures further, the security of the apps is only going to improve.

Do You Use NFC Apps?

In this article, we’ve given you a brief introduction to the security features offered by three of the biggest payment apps in Europe and North America.


George

October 28, 2017 at 12:45 am

OK, I know you’re all geeks, but starting a sentence, in fact the whole article with an undefined acronym is poor writing. Not once did you mention what NFC meant. Proper tech writing requires the spelling out of a term with the acronym in parentheses for the first use, use of acronym OK thereafter. E.g.: Near Field Communication (NFC) is becoming commonplace, but not as commonplace as the expression “Tap to Pay” is for the layperson.

Lose your credit card - even if someone charges a trip to Las Vegas or whatever -- your bank will likely reimburse you if you report the theft 'in a timely manner' (usually within 30-60 days).

Lose your phone (with the payment app and NFC feature) - the thief is unlikely to be able to buy or charge stuff without knowing your screen lock password. And even if the thief somehow could -- again, the issuing bank(s) of your credit cards will likely make you whole once you report the loss.

Dan is a British expat living in Mexico. He is currently a Senior Writer for MakeUseOf. At various times, he has been the Social Editor, Creative Editor, and Finance Editor. Prior to his writing career, he was a Financial Consultant.